MAC address and Wifi DDoS

Hello Group,

I have a Linksys WAG54gX2 SRX200 and decided lately, in addition to WPA encryption, to apply MAC address filtering, which would allow only my 1 x wireless desktop and 1 x laptop.

But now, looking at my /var/log/messages, I see the following MAC address trying to gain access, which is normal when someone is trying to connect to my Wi-Fi.

Due to the number of consecutive error messages below and the time frame in between, I thought maybe the attacker is applying some sort of denial-of-service attack that would maybe disable such filtering. I do not know, but just thought to ask the experts here.

Thanks in advance.

-aljuhani

Below is my /var/log/messages.

Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 10) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 11) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 12) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 13) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 14) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 15) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 4) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 5) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 6) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:58 - aniWsmLimRecvMsgs.c:1115 Station (0, 7) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 10) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 11) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 12) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 13) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 14) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 15) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 4) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 5) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 6) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 10) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 11) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 12) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 13) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 14) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 15) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 4) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 5) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 6) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 7) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:12 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:12 - aniWsmLimRecvMsgs.c:1115 Station (0, 10) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:12 - aniWsmLimRecvMsgs.c:1115 Station (0, 11) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:12 - aniWsmLimRecvMsgs.c:1115 Station (0, 12) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:12 - aniWsmLimRecvMsgs.c:1115 Station (0, 13) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:12 - aniWsmLimRecvMsgs.c:1115 Station (0, 14) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:12 - aniWsmLimRecvMsgs.c:1115 Station (0, 15) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:13 - aniWsmLimRecvMsgs.c:1115 Station (0, 4) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:13 - aniWsmLimRecvMsgs.c:1115 Station (0, 5) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:13 - aniWsmLimRecvMsgs.c:1115 Station (0, 6) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:13 - aniWsmLimRecvMsgs.c:1115 Station (0, 7) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:13 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON

On 11 Apr 2007 09:53:33 -0700, "aljuhani" wrote:

MAC addresses are too easily spoofed for MAC address filtering to be of any real value; i.e., it's not worth the trouble. WPA with a strong passphrase is all you really need.

Probably not a DoS attack. Might even be a device of your own. Anyone worth worrying about will be spoofing in any event.

John Navas

"aljuhani" hath wroth:

00:16:6f:3c:9e:cf is an Intel client device. Does your wireless desktop or laptop use an Intel wireless chipset? Do you own any other wireless device that uses an Intel chipset? Any game machines with Wi-Fi?

My guess(tm) is that someone has their wireless client set to connect to your access point by default. Note that "connect" here means the initial wireless "association", before any negotiated encryption key, authentication, or login. Without finishing the actual connection ordeal and getting past your Access Control List, I can't tell whether this is an attacker, misconfigured wireless device, or overly aggressive wireless client. It doesn't look like Kismet or NetStumbler probes (but I'm not sure).

It would be really tempting to allow them to connect and then sniff the traffic to see what they try to do. If it's a computer with open shares, snooping around their computer is usually sufficient to identify them.

You can also determine if they're using 802.11b or 802.11g to help identify the culprit. Just set your SRX200 to "802.11b only" or "802.11g only" to see which one works. That might help identify the culprit.

If you just want them to go away, you might try changing the SSID on the SRX200. (Changing the channel will do nothing). If they are set to connect to your specific SSID, they won't follow the change. However, if they have their wireless client set to "connect to any available network", they will follow the change. If it's an attacker, it may not initially follow the change in SSID, but might follow when they realize what happened.

Jeff Liebermann
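
The rejections in the log posted at the top of the thread can be reduced to numbers (total per MAC, entries per burst, pause between bursts) before reading them as a flood or as a client retrying association. The following Python script is an added example and not part of any post; the 5-second burst threshold and all function names are assumptions, and the sample is a shortened excerpt of the posted lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shortened excerpt of the messages posted in the thread. The last two entries
# are left run together on one line, as an archive page may render them.
SAMPLE_LOG = """\
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 10) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:58 - aniWsmLimRecvMsgs.c:1115 Station (0, 7) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:59 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON Wed, 2007-04-11 18:49:10 - aniWsmLimRecvMsgs.c:1115 Station (0, 10) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
"""

# Matches one rejection entry wherever it starts, so wrapped or joined lines parse too.
ENTRY = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - \S+ Station \(\d+, \d+\)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), MAC-ACL lookup failed", re.I)

def rejected_bursts(text, max_gap=timedelta(seconds=5)):
    """Per rejected MAC, group entries into bursts of [first_seen, last_seen, count].
    Assumes chronological order; max_gap is an arbitrary threshold (assumption)."""
    bursts = defaultdict(list)
    for m in ENTRY.finditer(text):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        runs = bursts[m["mac"].lower()]
        if runs and ts - runs[-1][1] <= max_gap:
            runs[-1][1] = ts          # still inside the current burst
            runs[-1][2] += 1
        else:
            runs.append([ts, ts, 1])  # pause longer than max_gap: new burst
    return bursts

def summarize(text):
    """Totals per rejected MAC: OUI prefix, rejection count, burst sizes, pauses."""
    report = {}
    for mac, runs in rejected_bursts(text).items():
        report[mac] = {
            "oui": mac[:8],  # vendor prefix; the reply above reads 00:16:6f as Intel
            "rejections": sum(r[2] for r in runs),
            "per_burst": [r[2] for r in runs],
            "pause_s": [(b[0] - a[1]).total_seconds() for a, b in zip(runs, runs[1:])],
        }
    return report

if __name__ == "__main__":
    for mac, row in summarize(SAMPLE_LOG).items():
        print(mac, row)
```
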

No, not anything I own.

Well, I have actually changed the SSID, and the logs provided are from after the change, so it appears to be deliberate attempts and is continuing up to now.

Will give him access as you have suggested, to be able to at least identify him, or, if I am lucky enough, he will check a POP3 email account and give me the pleasure of disclosing his data.

Thanks for the input Jeff.

Rgds.

-aljuhani

aljuhani

On 11 Apr 2007 11:59:21 -0700, "aljuhani" wrote:

Not necessarily -- many wireless clients are configured to try to connect to any available access point, often by accident.

John Navas
